
Linux 401: intermediate system administration skills

Do you feel you know the Linux system inside and out? Are you as adept at the command line as the GUI? Push the envelope with Linux 401. This class boosts your Linux skills by teaching you virtualization, PXE mirrors for network updates and automated client deployments. You'll also discover how to implement strong network protection at the perimeter. This class focuses on Debian 5.

Lessons

1. Virtualization in a Linux environment. In this lesson, you'll explore virtualization and its benefits in a Linux environment. You'll learn about the different types of virtualization available, focusing on KVM and VMware, popular open source and proprietary virtualization solutions.

2. Building a mirror with PXE. It's easy to update Linux on a single computer, but if you have several PCs, you'll find yourself spending a lot of time downloading and installing the same updates from the internet. Learn how to create a local mirror to speed up the update process.

3. Installing Linux clients over the network. This lesson teaches you to install Linux over the network using PXE, which boots clients from a standard installation image served by a network server rather than from local media. You'll also learn to build a simple DHCP server using DHCP server software to assign IP addresses on a network.

4. The computer firewall: implementing network protection at the perimeter. You can use security policies to keep your internal network safe, but additional measures are needed to stop threats at the perimeter. This lesson covers firewalls and intrusion detection systems for strong network security.

Welcome

Virtualization in a Linux environment

In this lesson, you'll explore virtualization and its benefits in a Linux environment. You'll learn about the different types of virtualization available, focusing on KVM and VMware, popular open source and proprietary virtualization solutions. Welcome to the class. As you might have guessed from the class overview, this class helps you take your advanced Linux knowledge to the next level by introducing some upper-level networking and administration techniques. You'll first learn how virtualization can give you a more productive server and how to set up virtualization using KVM and VMware. You'll move on to installing multiple clients over a network and updating them automatically. Finally, you'll dive into Linux security software by focusing on firewalls and intrusion detection.

What's the best Linux version to use for this class?

This class focuses on the Debian 5 distribution. If you took the previous Linux classes offered by HP, you've already learned about Debian 5. This class builds on the knowledge and skills learned in those classes. If you're using another Linux distribution, such as Ubuntu, Fedora or openSUSE, some of the instructions given in this class might require some adjustment for your distribution.

If you're already familiar with Linux as a desktop power user or administrator, you have the necessary skills to do well in this class. However, new Linux users should consider starting with Linux 101 rather than this class.

What this class offers

In four lessons, this class gives you experience using advanced Linux system administration techniques and best practices. Here's what to expect in the lessons:

Lesson 1 explores virtualization and its benefits to your company. You'll see how to install and create a virtual machine using KVM and VMware Server. Lesson 2 shows you how to efficiently apply operating system updates to several client computers by creating a local mirror using the Apache server, the Linux web server software. Lesson 3 saves you time by explaining how to install client workstations across a network using PXE. You'll also find out how to set up a simple DHCP server. Lesson 4 describes how to ensure the safety of your network and data by enabling firewalls and intrusion detection systems at the perimeter.

Each lesson is accompanied by a short assignment and quiz, which are designed to help you more fully understand the numerous concepts covered in this class. Throughout this class, we provide Flash examples. To view these examples, you need the Adobe Flash Player. Keep an eye out for notes with links that say "See how to ____" or something similar. Some of these files may be very large and could take a while to appear or download if you have a slow connection.

Exploring the benefits of virtualization

Now that you understand the landscape of the class, let's dive into the first topic: virtualization.

You might already have heard of virtualization if you've worked within the IT industry. Basically, virtualization is a layer of software that enables you to create one or more virtual machines (VMs), each a fully functioning operating system that resides on a host. A VM can be a workstation or a server, and it behaves like a physical computer. This lesson focuses on creating virtual servers.

Setting up a virtual server in Linux can be quick and easy, mainly because virtualization is built in. Debian contains the popular open source virtualization solution called KVM. You can also use a third-party program, such as VMware Server, to implement VMs in Linux. You can create VMs in KVM or VMware; however, they use slightly different methods. You'll explore both solutions later in this lesson. The key question is: why would a company want to use virtualization? Here are some of the main reasons for doing so:

Develop and test new applications: Software developers, for example, can safely develop and test applications in a virtual environment that mimics a user's actual computer.

Test patches before deployment to a production environment: This enables a network administrator to monitor the effects of patches and avoid installing patches and upgrades that cause problems for users.

Consolidate servers and save hardware costs: It's easier and more cost-efficient to manage a single physical server that contains several VMs than to maintain several physical machines in your infrastructure. Because each VM acts like a physical computer, you can create one for each type of server you need: file server, web server and so on.

Save on licensing costs: KVM is covered under the GNU General Public License (GPL), which means it's freely available and can be modified without restriction. Because Debian 5 is also a free operating system, you can build a powerful virtual environment for the price of a single server.

One caveat that comes with consolidation: every guest depends on its host, so a compromised or misconfigured host exposes all of the VMs running on it at once. Treat the host as the most sensitive machine in the room: keep it patched, give it no job other than running VMs, and restrict who can log in to it.

Many virtualization options

Aside from KVM and VMware, VirtualBox is a great virtualization tool that works with Linux and is easy to set up. If you're virtualizing in a Windows environment, consider Microsoft Hyper-V. You can also run preconfigured VMs in VMware for Linux or VMware Player on any platform. For more information, visit the HP Virtualization with VMware web page. Also check out the HP Virtualization guide and HP Virtualization solutions web pages.

Understanding virtualization terms

Before you look at the details of KVM and VMware, let's explain some of the terminology in use:

Host: This is the primary operating system, which hosts other operating systems.

Guest: Each operating system that runs on the host in a VM is called a guest, because it runs as a guest of the primary, or host, operating system. You can run a variety of operating systems as guests.

Full virtualization: This is an environment in which the hardware is completely virtualized and the guest operating system runs unmodified. Privileged instructions that the guest issues are either trapped and emulated by the VM monitor or run natively with hardware assistance (Intel VT-x or AMD-V).

Para-virtualization: This is an environment in which the guest operating system is modified so that virtualization-sensitive operations call the VM monitor directly (through hypercalls) instead of being trapped, as in full virtualization. The interface the guest sees can therefore differ from that of the underlying hardware.

You'll learn more about these and other virtualization terms as you learn how to set up virtualization with KVM and VMware. Let's take a look at KVM first.

KVM: the open source solution

KVM is a virtualization solution that's built into Debian 5, and it has largely replaced the previously popular Linux virtualization product Xen. Both are hypervisors, but Xen is a standalone hypervisor that boots beneath the operating system and needs a dedicated, Xen-aware kernel for its control domain, whereas KVM is a kernel module integrated into the mainstream Linux kernel, which makes it much easier to implement and use. KVM relies on the processor's hardware virtualization extensions (Intel VT-x or AMD-V) and uses QEMU for device emulation. In this section, you'll see how to install the components you need to run KVM and how to create your first virtual machine.

Preparing KVM

To set up KVM in Debian 5, follow these steps:

1. Select Applications > Accessories > Terminal to open a terminal window.
2. At the command line, type su - and press Enter to change to the root user.
3. Enter the root password, and then press Enter.
4. Enter the command egrep --color=always '(vmx|svm)' /proc/cpuinfo. If nothing displays, your processor doesn't support hardware-assisted virtualization (the vmx flag means Intel VT-x, svm means AMD-V). You may have to upgrade your hardware or use a different computer that does support it. If one or more lines display containing vmx or svm, continue with the preparation steps. Note that a processor can advertise the flag while virtualization is switched off in the BIOS; in that case the kvm_intel or kvm_amd module refuses to load and /dev/kvm never appears, so check the BIOS setting if the later steps fail.
5. Issue the following commands to download and install the components you need to use KVM:

apt-get update
apt-get install kvm virt-manager

6. Type y and press Enter when prompted for approval to download files. The Advanced Package Tool (APT) downloads and installs the required components.
7. Close the terminal window, and then reboot your computer.
8. Log in, open a terminal window and then enter the command ps aux | grep libvirtd. You should see a process running for libvirtd, which means the virtual machine management toolkit is ready.
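The flag check in step 4 tells you what the processor advertises, not whether the kernel can actually use it. The following script is an added example for this lesson (it is not part of the HP course material): it classifies a /proc/cpuinfo dump by its vmx or svm flag, using constructed sample flag lines rather than output from real machines, and adds the check that matters in practice, whether /dev/kvm exists and is accessible to the user running it. The function and variable names are my own.

```shell
#!/bin/sh
# Added example for this lesson, not code from the HP course.
# Classify a /proc/cpuinfo dump by its virtualization flag and check whether
# the kernel actually exposed /dev/kvm.  The flag alone is not enough: with
# VT-x/AMD-V disabled in the BIOS, kvm_intel/kvm_amd refuse to load and
# /dev/kvm never appears, so KVM acceleration is unavailable.

# Constructed sample flag lines (not captured from real machines): an Intel
# CPU with VT-x (vmx), an AMD CPU with AMD-V (svm), and a CPU with neither.
INTEL_VT='flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc pni vmx est ssse3 cx16 lahf_lm'
AMD_V='flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt rdtscp lm 3dnowext 3dnow constant_tsc pni cx16 lahf_lm cmp_legacy svm extapic cr8_legacy'
NO_VT='flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht'

# vt_flavor CPUINFO_TEXT -> prints "intel" (vmx present), "amd" (svm present)
# or "none".  Flags are space separated, so the line is padded with spaces and
# matched as whole words; a bare substring match would also hit any flag that
# merely contains the letters.  Only the first "flags" line is examined, which
# is enough because every core of one CPU reports the same flags.
vt_flavor() {
  _flags=$(printf '%s\n' "$1" | grep '^flags' | head -n 1 | tr '\t' ' ')
  case " $_flags " in
    *' vmx '*) echo intel ;;
    *' svm '*) echo amd ;;
    *)         echo none ;;
  esac
}

# kvm_usable -> exit 0 if /dev/kvm is a character device the calling user can
# read and write, 1 otherwise.  Missing device: module not loaded, usually
# because VT is disabled in the BIOS.  Present but not writable: the device's
# group (kvm on Debian) doesn't include you; libvirtd runs as root and opens it
# on your behalf, so this only matters when you run kvm/qemu directly.
kvm_usable() {
  [ -c /dev/kvm ] && [ -r /dev/kvm ] && [ -w /dev/kvm ]
}

# On a real host, report both checks.
if [ -r /proc/cpuinfo ]; then
  echo "cpu flag: $(vt_flavor "$(cat /proc/cpuinfo)")"
  if kvm_usable; then
    echo "/dev/kvm: usable"
  else
    echo "/dev/kvm: missing or not accessible"
  fi
fi
```

Run it as the user who will start VMs, not as root, so that the /dev/kvm permission check reflects what virt-manager will see.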

Before you can create your first virtual machine, you must perform the following steps:

1. Add your user account to the libvirt group. In a terminal window, switch to the root user (su -) and then enter usermod -a -G libvirt username. The -a (append) option matters: without it, -G replaces the account's whole list of supplementary groups, silently dropping it from groups such as audio, cdrom or sudo.

2. Add a network bridge interface to allow your VMs to appear on the network as if they were real machines. Edit the /etc/network/interfaces file as root and append the following code:

auto br0
iface br0 inet static
        address 192.168.1.202
        network 192.168.1.0
        netmask 255.255.255.0
        broadcast 192.168.1.255
        gateway 192.168.1.254
        bridge_ports eth0
        bridge_stp on
        bridge_maxwait 0

Change the network details for your specific setup and Internet Protocol (IP) addresses. The bridge_* options are handled by the bridge-utils package, which must be installed. Because eth0 becomes a port of the bridge, it shouldn't keep an address of its own: change its existing stanza to iface eth0 inet manual (or remove it) so that br0 is the only interface configured with an IP address. Bridging also places your guests directly on the physical LAN, where they're reachable by everything else on that segment, so patch and firewall them like any other host.

3. Save the file, restart your machine and then log in after Debian reboots.

See how to prepare for virtual machine creation.

Creating a virtual machine

To create a virtual machine:

1. Select Applications > System Tools > Virtual Machine Manager. A single entry called localhost appears in the Virtual Machine Manager window, as shown in Figure 1-1.

Figure 1-1: The Virtual Machine Manager window.

2. Select localhost, and then click New to start the wizard that helps you create VMs. (By selecting localhost, you're telling KVM that you want to work with VMs on the machine you're currently working on.) Click Forward.
3. Enter a name for your VM to help you distinguish it from other VMs you might create in the future. Click Forward.
4. Choose a virtualization method. If your computer has hardware virtualization features built in, as many Core 2 Duo, recent Xeon and recent AMD processors do, select Fully Virtualized to make the most of them. Click Forward.
5. Figure 1-2 shows a portion of the installation method screen, which allows you to choose how you're going to install the guest operating system: using physical media, network-based media or network booting using PXE. (See Lesson 3 for more information on PXE, if necessary.) For now, select Local install media (ISO image or CDROM), and use the drop-down menus to select Linux as the OS Type and Debian Lenny as the OS Variant. Click Forward.

Figure 1-2: The Choosing installation method screen.

6. In the Locating installation media screen, choose either an ISO that you already downloaded or the installation media you previously burned and inserted in your optical drive. Click Forward.
7. Assign storage space to your VM. You can use some unallocated space on your existing drive, or use a simple file to act as the disk (recommended). By default, all virtual disks are kept in /var/lib/libvirt/images. You can adjust the size of the disk file. However, because you can add additional storage later, keep the file size down at this time. Click Forward.
8. The Connect to host network screen appears. Select the Shared physical device option, then select eth0 (Bridge br0) in the Device list. This is the br0 bridge over eth0 that you created earlier when you edited the /etc/network/interfaces file. That way, any VM you create will look like it is on your physical network rather than sitting in a private IP address range behind the host. Click Forward.

Figure 1-3: Choosing bridging options.

9. The Allocate memory and CPU screen appears. If you're virtualizing another Linux distro, you need at least 512 MB RAM to run the VM. This is the default setting for KVM, but you can increase it if you want. Be careful: if you increase the RAM too close to the physical memory limit of your computer, you could use all of the free memory, making your PC grind to a halt. If you have a multi-core system, such as an Intel Core i3, i5 or i7, you can increase the number of CPUs allocated to the VM. One CPU is normally enough to run a virtual instance of Debian. Click Forward.
10. A summary of your choices appears. Verify that all of your selections are correct, and then click Finish.
11. In the Virtual Machine Manager window, select your new VM and then click Open.
12. Debian starts the VM and loads the installer from the optical drive. Install Debian as usual.

When Debian finishes installing, you're ready to use the VM as a fully fledged server or desktop. Using the Virtual Machine Manager console, you can configure the VM further by right-clicking it and selecting options. For example, you can assign a password, add additional storage and change the number of virtual processors and the amount of memory allocated to the VM.

See how to create a KVM virtual machine.

VMware tutorial

Now that you've created a VM in KVM, you're ready to learn how to install VMware Server as an alternative form of virtualization. That's covered in the next section. Although KVM is fairly feature-complete, it might seem basic when compared to some virtualization alternatives. Perhaps the best-known virtualization platform comes from VMware, a company that specializes in virtual infrastructure and is credited with the resurgence of virtualization on x86-based hardware. In 2006, VMware released the product formerly known as GSX Server free of charge as VMware Server, enabling anyone to download and use it.

Preparation

Before you can install and configure VMware Server for the first time, you need to prepare your environment to ensure a smooth installation. Follow these steps:

1. Open a terminal and switch to the root user.
2. Run apt-get install build-essential. This installs about 48 megabytes (MB) of packages, most of which are needed to build the VMware kernel modules.
3. Run apt-get install linux-headers-$(uname -r). The installer compiles its kernel modules against these headers for the kernel you're currently running.
4. Run apt-get install gcc-4.1. This is the version of the GNU C Compiler that you need to successfully compile several modules.
5. At a root prompt, enter export CC=/usr/bin/gcc-4.1. This tells the build, for this shell session only, to use GNU Compiler Collection (GCC) 4.1. VMware requires its modules to be compiled with the same compiler that was used for the kernel, which for Debian 5 is 4.1.
6. Unless you're using a different machine, remove KVM by issuing apt-get remove kvm libvirt-bin (libvirt-bin is the package that provides the libvirtd daemon). You also need to unload the kernel modules by issuing rmmod kvm_intel && rmmod kvm (on an AMD processor, use kvm_amd in place of kvm_intel). Otherwise the loaded kvm modules keep hold of the processor's virtualization extensions and VMware's own modules can't use them.
7. Visit the VMware Server website and download the latest VMware Server product. This class uses version 2.0.2 as an example. You must register to receive a serial number. You're not signing up to buy anything, so complete the form and download the Linux tarball (approximately 480 MB) to your local hard disk. If a checksum is published alongside the download, verify the tarball against it before going further: you're about to run its installer as root.
8. Exit the root shell and return to the user prompt ($).

Make a note of the Linux serial number that's generated for you. You'll need it later in the installation process. Also note where the tarball downloads to.

Installing VMware Server

Now that you're prepared for the installation, it's time to perform the steps:

1. Move the tarball to your home directory using the mv VMware* ~ command. (mv moves rather than copies; use cp instead if you want to keep the downloaded copy where it is.)

In case you've forgotten, the tilde character (~) is a shortcut in Linux that refers to your home directory.

2. Enter tar -zxvf ~/VMware* and press Enter to unpack the archive.
3. Switch to the root user, if necessary, and navigate to your home directory.
4. Change the directory to vmware-server-distrib, and then run ./vmware-install.pl.
5. You're asked several questions during the installation. Accept the defaults (shown in square brackets) by pressing Enter each time.
6. When you get to the license agreement, use the spacebar to move forward a page at a time. When you reach the end of the agreement, type the word yes and press Enter to agree to it.
7. You might encounter an error regarding a vsock module. You can safely ignore this message because it relates to a communication path between your VMs and the host; it's not necessary for VMware Server to function correctly. Press Enter when prompted.
8. Add networking for your VMs when prompted. This allows your VMs to connect to the rest of the network. Let VMware create a bridged network, a Network Address Translation (NAT) network and a host-only network.
9. Continue accepting the defaults. (Notice that your VMs will be stored in /var/lib/vmware/Virtual Machines/.)
10. When the installation finishes, VMware Server automatically starts its service, along with several other key components. Restart your machine.

Configuring VMware Server

VMware Server doesn't appear in the Applications menu in Debian because it runs as a web service, which you access through your browser. You can use Iceweasel by selecting Applications > Internet > Iceweasel, and then enter https://localhost:8333 in the address bar. A Secure Connection Failed warning message appears, telling you that localhost is using an invalid security certificate: VMware Server generated a self-signed certificate during installation, and your browser has no way to verify it. Because you're connecting to your own machine over the loopback interface, adding an exception here is safe. Don't carry that habit over to remote hosts, though: when you manage a VMware Server on another machine, compare the certificate fingerprint with the one on the server before accepting it, because anyone who can intercept the connection could otherwise present a certificate of their own and capture the root credentials you're about to enter. Click the Or you can add an exception link at the bottom of the page, and then click the Add Exception button. In the Add Security Exception dialog box, click the Get Certificate button. Click the Confirm Security Exception button in the dialog box. This prevents Iceweasel from issuing this alert again, and takes you to a login screen. Log in to VMware Server as the root user. A browser window similar to Figure 1-4 appears.

Figure 1-4: You can control VMware Server almost entirely through a web browser.

When it's up and running, you're ready to create your first virtual machine using VMware.

Creating a VMware Virtual Machine

With the VMware interface open, you're ready to create a VM:

1. Under the Commands section on the right side of the screen, select Create Virtual Machine.
2. The first screen asks you to name your machine. You may find it useful to use the same name as the hostname, to keep things simple. Name your VM, and then click Next.
3. Tell VMware what kind of operating system you'll use in your VM. For now, select Linux Operating System and Other 2.6.x Linux (32-bit). VMware officially supports Debian 4, but you're unlikely to encounter problems with Debian 5. Click Next.
4. Choose how much memory to allocate to your VM. You should set this at the recommended size or increase it; 512 MB is the recommended minimum. Unless you have a multi-core processor, leave the processor count at 1. Click Next.
5. In the next screen, define how large the hard disk allocated to your VM should be. If you're installing Linux, use 5 GB at a minimum. If you plan to use your VM as a file server, increase the amount of allocated space (the more the better). Click Create a New Virtual Disk to begin, and use the up and down arrows to change the size of the new disk. When you're ready, click Next.

You can choose to allocate all the space now by clicking File Options and then checking the appropriate box. VMware will create a file big enough to contain the entire disk, whether or not you use the full capacity. Not allocating all of the space lets the disk file grow on demand as the guest writes data (it doesn't shrink again by itself).

6. An important decision is how your VM will interact with the other systems on your network. Click Add a Network Adapter and then select the type of network connection based on your requirements. A NAT connection places your VM on a private network behind the host: the VM can still initiate connections out to the physical network and the internet through the host's address, but nothing on the physical network can reach it unless you forward ports to it. This is useful if you're planning to create multiple VMs that need to interact with each other and get out, but shouldn't be exposed to machines on the physical network. If you want a VM that can't reach the physical network at all, choose a host-only connection instead. A bridged connection connects the VM directly to the physical network and lets it get an IP address from your Dynamic Host Configuration Protocol (DHCP) server, with the same exposure as a physical machine on that LAN. For now, keep NAT as the default and click Next.
7. You'll need to install an operating system on your VM; the easiest way to do this is to allow it to access the optical drive on your computer. Click Use a Physical Drive, and then click Next. On the floppy drive screen, you can click Don't Add a Floppy Drive if you think you'll never use one (most people don't use floppies anymore).
8. The final summary screen appears, displaying your selections. You may want to connect USB devices and use them on your VM, so click Add a USB Controller. Check the Power on your virtual machine now checkbox at the bottom of the screen to power on your new VM when you click the Finish button.
9. Click Finish to create your new VM and power it on. After a short time, you should be greeted by the familiar Debian installer splash screen, as shown in Figure 1-5. The VM window remains open behind the splash screen; you're installing Debian within the virtual environment.

When you power on your machine, it automatically reads from the optical drive because there's no operating system installed on the virtual hard drive. To direct input to the VM, click within the VM window. To return input to the host, press Ctrl+Alt. At this point, everything runs the same as if you were installing and using Debian directly on a physical hard disk.

Moving on

In this lesson, you explored virtualization and how to use KVM and VMware for Linux. In Lesson 2, you'll learn how to create a local mirror to automate Debian client system updates over a network. Before you move on, complete the assignment and take the quiz for this lesson to reinforce important topics and concepts.

Assignment #1

Virtualization is a vast topic, and one you could easily spend a lot of time on. In this assignment, you'll focus on a few tasks that are specific to VMware, so ensure you've installed Debian 5 into a VM under VMware Server as described in Lesson 1. You can use another distribution for this exercise if you don't have Debian 5 yet. It's recommended that you acquire and install Debian 5 before Lesson 2, if possible.

One of the features of VMware Server is the ability to take snapshots of VMs, enabling you to capture a VM at a specific point in time. This can be useful if, for example, you're planning to perform a major upgrade and would like a restore point to fall back on if you encounter problems. To create a snapshot, follow these steps:

1. Open the VMware Server management interface in a web browser.
2. Select the VM of your choice in the Inventory pane on the left.
3. Click Take Snapshot in the Commands pane on the right.

VMware automatically takes a full snapshot of the VM. VMware Server keeps only one snapshot per VM, so taking a new one replaces the previous one; form the habit of taking a snapshot prior to making any major changes to your system. A snapshot preserves whatever the guest held at that moment, passwords and keys included, so protect the snapshot files as carefully as the VM's disk image.

Taking a VMware snapshot can take some time. However, the process is performed in the background to enable you to keep working. Try installing Debian 5 on a fresh VM and then taking a snapshot. When the snapshot completes, do a full upgrade of your VM system. Once the upgrade is finished, roll back to the snapshot in VMware Server by selecting VM > Snapshot > Revert to Snapshot. VMware reverts the VM to the pre-upgrade state, leaving you with a generic Debian 5 installation.

Another useful feature of VMware VMs is that they're portable and can be easily moved onto other computers that don't need to be running a Linux version of VMware. For example, copy the contents of /var/lib/vmware/Virtual Machines/yourvirtualmachinename to another computer, and then point VMware Player (a free virtualization tool available on the VMware.com website) at the files. You can also do this under a Windows version of VMware Server or Player, or even the commercial VMware Workstation for Windows or Linux, or VMware Fusion for Apple Macs.

Quiz #1

Question 1: Which of the following describes a guest operating system?
A) Provides resources to your local operating system
B) Allows access for any user
C) Runs within a virtual environment on a host operating system
D) Allows access to services on your local operating system

Question 2: Which group do you add user accounts to in order to use KVM?
A) virtualization
B) kvm
C) libkvm
D) libvirt

Question 3: Why would you deploy a VM? (Check all that apply.)
A) To develop and test new software
B) To consolidate servers
C) None of the above
D) To test and monitor upgrades and patches

Question 4: True or False: A VM can perform the same functions as a physical machine.
A) True
B) False

Question 5: True or False: KVM is an open source virtualization solution.
A) True
B) False

Building a mirror with PXE

It's easy to update Linux on a single computer, but if you have several PCs, you'll find yourself spending a lot of time downloading and installing the same updates from the internet. Learn how to create a local mirror to speed up the update process. Welcome back! In Lesson 1, you learned about virtualization, the technology that enables you to run several VMs on one physical computer. In this lesson, you'll find out how to create a local mirror to ease the task of installing updates on many clients across a network.

Understanding local mirrors

Linux system files and updates are stored on mirror sites across the internet, each housing the same files. When you need updates and software for your distribution, your computer connects to a mirror site that's geographically close to you, which reduces bandwidth use and increases the speed of the download. Manually downloading and installing updates for a few computers running Linux works well. However, what if you have 500 Linux computers, each needing updates? A kernel update, for example, can be about 16 MB, whereas an OpenOffice.org update might be 100 MB. Even with a fast internet connection, such as 8 megabits per second (Mbps) for downloads, it would take several minutes to download all of the files. Multiply that by the number of computers you need to update, and you can see that updating multiple computers individually is a time-consuming task. A local mirror is a server in your environment that connects to an internet mirror site, retrieves the updates and then enables you to distribute them to the client computers on your network. The local mirror is updated frequently, so your clients remain current with little effort on your part. In addition, the local mirror is directly connected to your network with a 100 Mbps connection or an even faster Gigabit Ethernet connection. This greatly speeds up the distribution of updates to your clients, and it reduces the overall bandwidth you use to retrieve all the updates. Because APT verifies the signature on the Release file of every archive it uses, a local mirror doesn't weaken the update path as long as it carries the archive unchanged: clients keep checking the Debian archive keys exactly as they would against an internet mirror. Setting up a local mirror using Debian is straightforward but requires a number of intermediate- to advanced-level skills, which you picked up in Linux 201 and 301. Read on to learn how to create a local mirror for Debian.

Setting up a local mirror

The first requirement for setting up a local security update mirror is a spare computer to use as your server. For purposes of this lesson, it's assumed you already installed Debian 5, either with GNOME or just a command line-based system. It doesn't matter which one you have, because the majority of the work is done at the command line. What's important is that this computer remains on continuously, 24 hours a day, and that it has at least 60 GB of free disk space. It doesn't have to be a particularly powerful computer because it won't be doing a lot of work. Ideally, you should connect your computer to the network via a wired connection, which offers the best speeds. Finally, you must assign a static IP address to the server, because your clients need to be able to connect to it each time they look for updates. A local mirror doesn't work with a dynamic (constantly changing) IP address.

Configuring a static IP address

Let's walk through the process of assigning a static IP address. The steps for a graphical user interface (GUI) are listed first, followed by instructions for a text-based environment. This lesson assumes you have only one network interface present on your computer, which is referred to as eth0.

GUI-based

To configure a static IP address in the GNOME GUI:

1. Select System > Administration > Network. Enter the root password if prompted. The Network Configuration (network-admin) utility interface appears, as shown in Figure 2-1, which you use to configure network interfaces.

Figure 2-1: The Network Configuration utility enables you to change your network hardware.

2. Ensure the wired connection network device is highlighted and active, and then click Properties.
3. By default, Debian selects DHCP for network address configuration, so you'll see this selected unless you've previously selected a static IP address. Select the Static IP addresses option from the Configuration drop-down menu.
4. Determine an address that's easy to remember, such as 192.168.1.200, and then enter it into the IP address field. Ensure that the IP address you select isn't in use by any other computers or devices, such as a print server, on your network, and that it lies outside the range your DHCP server hands out, otherwise the DHCP server may later lease the same address to another machine. Enter the correct subnet mask in the Subnet mask field. Enter the address of the gateway to the internet, usually your router, in the Gateway address field. Click OK.
5. You're returned to the Network Settings dialog box. Click Close.
6. Select Applications > Accessories > Root Terminal and enter the root password when prompted. In the console, enter the following command to restart the network interface:

ifdown eth0 && ifup eth0

The static IP address will be in use once the network has restarted.

Text-based

If you're using a text-based system, you need to manually edit the network interface configuration file. To configure a static IP address from a command line:

1. Select Applications > Accessories > Root Terminal. If you're already at a command line, switch to the root user.
2. Type nano /etc/network/interfaces, and then press Enter.
3. Look for the iface line that covers eth0, the primary Ethernet interface on your machine. Change the word dhcp to static.
4. On a new line, press the Tab key once and enter address 192.168.1.200 (or a different IP address that no computers or devices are using and that lies outside your DHCP server's lease range).
5. Press Enter to move to the next line, and then press Tab to move across the line.
6. Enter gateway 192.168.1.1 (or whatever your gateway address is).
7. Press Enter again to move to the next line, and then press Tab to move across the line.
8. Enter netmask 255.255.255.0.
9. Press Enter and Tab one last time, and then enter the broadcast address for the network, such as broadcast 192.168.1.255.
10. Save the file, exit nano and then enter the following command at the command line to restart the network interface:

Installing required components


ifdown eth0 && ifup eth0

Now that your server has a static IP address, you need to install some additional software required to set up the mirror. The first and primary component is the Apache web server, because clients fetch packages from the mirror over HTTP. You might already have Apache up and running. If you're not sure, you can check for Apache by opening a terminal window and entering the following command:

dpkg -l | grep apache && /etc/init.d/apache2 status

This line actually runs two commands: the first lists the installed packages whose name contains apache and, if any are present, shows their version numbers; the second asks Apache's init script for its status (it only runs if the first command found something). You'll probably see output similar to the following:

ii  apache2  2.2.9-10+lenny8  ...
Apache is running (PID 6408).

This means that Apache is installed and is active.

If the command prints nothing, Apache isn't installed, and you need to install it by entering the command:

apt-get install apache2

It takes a few seconds for Debian to download and install Apache. Apache's init script is enabled in the multi-user runlevels (2 through 5 on Debian), so it starts whether you boot to a graphical interface or a command-line interface. Once Apache is installed, Debian automatically starts the service, and it listens on port 80, the standard HTTP port, accepting connections from any host that can reach the server. No further configuration is needed at this time, but bear in mind that everything you publish under the web root will be readable by every machine that can reach port 80, so keep the mirror on your internal network.

Now that you've assigned a static IP address and installed all of the required components, you're ready to configure the local mirror. That's covered in the next section.

Configuring the mirror

To begin the mirror configuration, open a web browser and enter the static IP address you assigned to your server. A simple message appears: It works! Now you need to build a directory structure in which you'll store the mirror data locally. By default, Apache on Debian 5 serves files from the /var/www directory (its DocumentRoot), so any subdirectories that you need to create should be created in that directory. To begin mirror configuration:

1. Create an initial directory by entering the following command at a terminal:

mkdir /var/www/updates

This command creates the directory /var/www/updates, which you'll use to publish your update packages. You can substitute any subdirectory name you like after /var/www/. Just make sure you remember it, because the client configuration later in the lesson refers to it.

2. You also need to ensure that all users can read and enter the directory, because Apache serves files as the unprivileged www-data user, not as root. Enter the following command:

ls -ld /var/www/updates

Check that the last three characters in the permissions field show r-x, which indicates that everyone (all other users, including www-data) can read and traverse the directory.

If those permissions aren't set, run the following command:

chmod a+rx /var/www/updates

To download files for the mirror:

1. Install the apt-mirror package using the following command:

apt-get install apt-mirror

2. As soon as apt-mirror is installed, edit the /etc/apt/mirror.list file (note the singular name) using vi (vi /etc/apt/mirror.list). This file holds the configuration that apt-mirror uses: a few set directives near the top (among them set base_path /var/spool/apt-mirror, which is where the downloaded data will land) followed by the repositories to mirror. Comment out any lines starting with deb or deb-src by entering a # at the start of each line.

3. Create a new line with the following text:

deb http://security.debian.org/ lenny/updates main contrib non-free

This line ensures that you download all the security updates for Debian 5 (lenny).

4. Press the Escape key, type :wq and press Enter to save the changes to the file.

5. At the root prompt, enter the apt-mirror command. The amount of data that will be downloaded is displayed. You're downloading the entire lenny security update catalog, including the main, contrib and non-free sections. Depending on your specific requirements, you may wish to download only the main section. If so, delete contrib or non-free from the line you added to /etc/apt/mirror.list. Because you're downloading a lot of data, which requires a lot of internet bandwidth, it might be more sensible to start the job in the evening and let it run overnight. That way you avoid bogging down users by slowing the internet transfer speed.

Once the file download is complete, you're ready to finish the local mirror server configuration. That's covered in the next section.

The apt-mirror command lets you spread the download across more than one session. If you kill the session by pressing Ctrl+C (because you run out of time, for example), you can easily start it up again at a later date or time. On the next run apt-mirror compares the package indices it downloads from the server with what's already on disk, works out which packages still need downloading, and resumes at that point.

Finishing the server

Although apt-mirror is a great tool, it doesn't automatically store the downloaded data in the directory you created earlier in the lesson. You can find all the data under the /var/spool/apt-mirror directory (the base_path setting in /etc/apt/mirror.list), laid out by hostname: the security archive ends up in /var/spool/apt-mirror/mirror/security.debian.org/, with the dists/ and pool/ trees beneath it exactly as they appear on the real server. It's a best practice to use this default to avoid any problems.

Apt-mirror requires a rigid set of subfolders. Changing the default location or forgetting to create one of the folders are two common problems when using apt-mirror. In addition, the /var/spool area is the correct place to keep data that's downloaded by apt-mirror; the files are in constant flux as packages are updated and changed, so the spool directory is most appropriate.

However, you created a specific directory under the /var/www directory, and there is currently nothing in that directory. The easiest way to publish the package tree that's in /var/spool/apt-mirror under /var/www is a symbolic link. A symbolic link is a filesystem entry that points at another path. For example, once /var/www/updates is a symbolic link to /var/spool/apt-mirror/mirror/security.debian.org, browsing to /var/www/updates and doing a directory listing shows the contents of the security.debian.org mirror directory, and Apache serves those files as if they lived under /var/www/updates. This is very useful, and will save a lot of headaches!

First remove the empty placeholder directory, because ln -s given an existing directory as its destination creates the link inside that directory rather than in its place. Then issue the following commands as root:

rmdir /var/www/updates
ln -s /var/spool/apt-mirror/mirror/security.debian.org /var/www/updates

You won't get a message confirming the link has been created, so do a directory listing of the /var/www/updates/ directory to verify that the link works. You should see two directories, dists and pool, if the link has been successfully created. (Apache follows symbolic links under /var/www on Debian 5 because the default site's <Directory /var/www/> block contains Options FollowSymLinks; if you've hardened that setting, the link won't be served.)

As a recap, you have now installed Apache, installed apt-mirror and have started to download your initial packages for your mirror. You've also created the foundation for allowing clients to connect to your mirror to download their updates. You need to do a few more things:

- Make sure your mirror is kept up to date with all the latest packages
- Configure your clients to communicate with your mirror

You'll learn how to address both of these tasks in the next two sections.

Keeping your mirror up to date

The best way to ensure your mirror is kept up to date is to run the apt-mirror command daily, which you can accomplish by using cron to schedule it to run each night automatically. Debian updates its repositories four times a day: at 3 a.m., 9 a.m., 3 p.m. and 9 p.m. Universal Time (UTC, commonly referred to as GMT). However, running a daily update is sufficient for most environments. It's important to note that those times are the scheduled start times for the mirror sites to refresh, so it might be an hour or so after those times that the mirrors are fully refreshed.

Open a root terminal window and enter the command crontab -e. This opens root's crontab in the default editor and, unless you've already configured some cron jobs, it will be blank other than a commented line that provides syntax help. Remember, cron jobs are written in a specific format: five time fields (minute, hour, day of month, month, day of week) followed by the command to run. A per-user crontab has no user-name field; that field exists only in /etc/crontab and in files under /etc/cron.d. It's recommended that you time the apt-mirror update for late at night or whenever you have the fewest number of users on the network. Enter the following line to create the cron job:

0 0 * * * /usr/bin/apt-mirror

This line creates a cron job that runs at midnight every day and downloads new or updated packages using apt-mirror. Because you created the symbolic link between the apt-mirror directory and the /var/www/updates directory, your repository will be automatically updated and ready for use. (The apt-mirror package also ships a ready-made, commented-out entry in /etc/cron.d/apt-mirror that runs the job as the apt-mirror user. If you prefer to use that, uncomment it instead of adding a crontab line, so the job doesn't run twice, and first give the apt-mirror user ownership of /var/spool/apt-mirror, since the manual runs in this lesson created the files as root.)
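A quick health check you can run from cron shortly after the nightly apt-mirror job, as an added example that is not part of the course material: it verifies that /var/www/updates is still a symbolic link into the spool, that the dists and pool trees and a signed Release file are present, that the Release file is recent, and that the tree is readable by Apache's www-data user. The docroot path, the 36-hour freshness window and the lenny/updates suite name are assumptions taken from this lesson's setup; adjust them to yours.

```shell
#!/bin/sh
# Added example (not from the course): sanity-check the local mirror layout
# that the lesson builds, suitable for running from cron after apt-mirror.
#
# check_mirror DOCROOT [MAX_AGE_HOURS]
#   DOCROOT is Apache's document root (/var/www in the lesson); the mirror is
#   expected at DOCROOT/updates, a symlink into /var/spool/apt-mirror.
#   Returns 0 if the mirror looks usable and fresh, 1 (with a reason) otherwise.
check_mirror() {
  docroot=$1
  max_age_hours=${2:-36}     # assumed default: tolerate one missed nightly run
  link="$docroot/updates"

  # the lesson replaces the mkdir placeholder with a symlink; a plain directory
  # here means the link was never made (or was made inside the directory)
  [ -L "$link" ] || { echo "FAIL: $link is not a symlink"; return 1; }
  [ -d "$link/" ] || { echo "FAIL: $link points to a missing directory"; return 1; }

  # apt-mirror lays the tree out as <host>/dists/... and <host>/pool/...
  for sub in dists/lenny/updates pool; do
    [ -d "$link/$sub" ] || { echo "FAIL: $link/$sub missing"; return 1; }
  done

  release="$link/dists/lenny/updates/Release"
  [ -f "$release" ] || { echo "FAIL: no Release file at $release"; return 1; }
  # secure apt needs the detached signature next to it; without it every
  # client's apt-get update will refuse the mirror
  [ -f "$release.gpg" ] || { echo "FAIL: $release.gpg missing"; return 1; }

  # freshness: Release is rewritten on every successful apt-mirror run
  stale=$(find "$release" -mmin +$((max_age_hours * 60)) | wc -l | tr -d ' ')
  [ "$stale" -eq 0 ] || { echo "FAIL: Release older than ${max_age_hours}h; did the cron job run?"; return 1; }

  # Apache runs as www-data, so "others" need r-x on every directory it serves
  for path in "$link" "$link/dists" "$link/pool"; do
    perms=$(ls -ld "$path/" | cut -c8-10)   # trailing slash: look at the target
    [ "$perms" = "r-x" ] || { echo "FAIL: $path has others=$perms, need r-x"; return 1; }
  done

  echo "OK: mirror under $link is complete and fresh"
  return 0
}
```

Run it as check_mirror /var/www from a cron line scheduled an hour or so after the apt-mirror job, or by hand right after you create the link. It exits non-zero with a reason on the first problem it finds, so a simple mail-on-failure wrapper is enough to tell you when the mirror silently stops updating.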

And that's it for the server. You now have a fully functional repository that can be used to update your Debian clients. All that remains is configuring your clients to make use of your new repository, which is covered in the next section.

Configuring your clients

To configure your clients, you just need to amend one configuration file on each client computer.

On a client computer, open a terminal window and then change to the root user. The file you need to edit is named sources.list, which is located in /etc/apt/. Because you're going to change this file, first create a backup in case you need to revert to the original. Enter the following command:

cp /etc/apt/sources.list /etc/apt/sources.list.backup

Use a text editor, such as nano, to open and edit the sources.list file:

nano /etc/apt/sources.list

Look for the line that contains the following:

deb http://security.debian.org/ lenny/updates main contrib non-free

Modify the line as follows to tell APT to look for updates in your repository (substitute your server's address, and the directory name you chose, if different):

deb http://192.168.1.200/updates lenny/updates main contrib non-free

The path /updates is the symbolic link you created under /var/www, so APT finds dists/lenny/updates/ and pool/ beneath it exactly as it would on security.debian.org. If the file also has a deb-src line for security.debian.org, comment it out with a leading #: your mirror doesn't carry source packages, so leaving it in place would make every apt-get update go back out to the internet, or fail if the client can't reach it. Leave the deb line for the main Debian archive (ftp.us.debian.org or similar) alone; that archive is mirrored in this lesson's assignment for use by the installer in Lesson 3.

After you've modified the file, press Ctrl+O and then Enter to save it, then Ctrl+X to exit nano and return to the command line.

The final task is to get APT to refresh its package lists so that it pulls from your local mirror. Run the following command:

apt-get clean && apt-get update

If apt-get update reports a signature problem (BADSIG, or that the Release file could not be verified), something is wrong with the mirror copy, not with the client: APT still checks the Release.gpg signature made by the Debian archive against the keys in debian-archive-keyring, so an incomplete or tampered mirror is rejected even though it's on your own network. Don't work around this with --allow-unauthenticated; rerun apt-mirror and check the symbolic link instead. Your mirror is now complete, and your first client has been configured. Configure each client by pointing it to the mirror so it can take advantage of the faster updates.
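Editing sources.list by hand on every client doesn't scale, so here is an added example (not from the course) that makes the same change from a script: it backs the file up, repoints the lenny/updates line at your mirror, comments out the matching deb-src line and leaves every other line untouched. The mirror URL http://192.168.1.200/updates is the one this lesson assumes; pass your own.

```shell
#!/bin/sh
# Added example (not from the course): rewrite an APT sources.list so that the
# lenny security suite is fetched from the local mirror instead of the internet.
#
# point_at_mirror MIRROR_URL < sources.list > sources.list.new
#   - rewrites "deb http://security.debian.org/ lenny/updates ..." to MIRROR_URL
#   - comments out the matching deb-src line (apt-mirror as configured in the
#     lesson does not fetch source packages, so APT would otherwise still go
#     out to security.debian.org, or fail, on every apt-get update)
#   - passes every other line through unchanged
point_at_mirror() {
  mirror=$1
  awk -v mirror="$mirror" '
    # field 1 is deb/deb-src, field 2 the URL, field 3 the suite
    $1 == "deb" && $2 ~ "^https?://security\\.debian\\.org/?$" && $3 == "lenny/updates" {
      $2 = mirror; print; next
    }
    $1 == "deb-src" && $2 ~ "^https?://security\\.debian\\.org/?$" && $3 == "lenny/updates" {
      print "# " $0 " (sources not mirrored locally)"; next
    }
    { print }
  '
}

# update_client_sources FILE MIRROR_URL
#   keeps a copy of FILE as FILE.backup (as the lesson does by hand), then
#   replaces FILE atomically with the rewritten version
update_client_sources() {
  file=$1
  mirror=$2
  cp "$file" "$file.backup" || return 1
  point_at_mirror "$mirror" < "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}
```

Typical use on a client is update_client_sources /etc/apt/sources.list http://192.168.1.200/updates followed by apt-get clean && apt-get update. Note that the script deliberately changes nothing about signature checking: APT keeps verifying the mirrored Release.gpg with the Debian archive keys, which is what protects the clients if someone gains write access to the mirror's web root.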

Moving on

In this lesson, you learned how to create a local mirror to streamline and automate Debian system updates over a network. Lesson 3 covers PXE, a method of automating client system installations across a network. Before moving on, complete the assignment, the results of which you'll use in Lesson 3, and then take the quiz to help reinforce lesson topics.

Assignment #2

In Lesson 2, you learned how to create a local mirror for pushing system updates to your network clients running Debian 5. In this assignment, you'll build a local repository of the Debian installation files in preparation for Lesson 3, which covers client workstation installations (the entire client system, not just updates) across a network. For this assignment:

1. Edit the /etc/apt/mirror.list file on your server to uncomment the line that starts with deb http://ftp.us.debian.org. If you're not in the United States, change us to the ISO country code for your country. If you're not sure what the correct code is, look it up on the Debian mirror list at www.debian.org/mirror/list or on Wikipedia.
2. Run apt-mirror to download the installation files to your server. This is the full lenny archive for your architecture, several gigabytes, so expect it to take considerably longer than the security updates did.
3. Create a symbolic link so that the archive is published at /var/www/debian, which is the path (/debian/) the Debian installer proposes by default when you point it at a mirror in Lesson 3:

ln -s /var/spool/apt-mirror/mirror/ftp.us.debian.org/debian /var/www/debian

(Substitute your country code in the hostname if you changed it in step 1.)

Because the base installation repository occasionally changes, the nightly apt-mirror cron job you created in this lesson keeps this copy current too, since apt-mirror processes every uncommented line in mirror.list. Critical security updates are not published there, however; those come from the security.debian.org mirror you set up earlier. Once you've completed this task, you're ready for Lesson 3.

Challenge assignment

(Optional) Once you have a local mirror functioning, you might want to reduce the frequency at which the system checks for updates. You can do this by changing the last asterisk in the cron line (the day-of-week field) to a number, where 0 equals Sunday. Valid numbers are 0 through 7, because crontab also recognizes 7 as Sunday. You could also instruct cron to run the command on Monday, Wednesday, Friday and Sunday by entering 1,3,5,7 in place of the last asterisk.

Quiz #2

Question 1: True or False: The apt-get command creates a local mirror.
A) True
B) False

Question 2: Which permissions enable users to read your repository and execute commands in the mirror's updates directory?
A) rwx
B) r--
C) r-x
D) -w-

Question 3: Which command do you use to configure a symbolic link?
A) ln -s
B) sl
C) link -s
D) lk -s

Question 4: Where does apt-mirror keep the local copy of the mirror?
A) /var/apt-mirror
B) /var/spool/mirror
C) /var/spool/apt-mirror
D) /var/spool/debian

Installing Linux clients over the network

This lesson teaches you to install Linux on a network using PXE, which creates a standard installation image for deployment onto clients. You'll also learn to build a simple DHCP server using DHCP server software to assign IP addresses on a network.

Welcome back. In Lesson 2, you learned how to create a local mirror to automate system updates to several clients on a network. This lesson takes you a step further by showing you how to create a network installation server, which enables you to quickly provision new clients without installing from media.

A brief overview of remote booting and installation

One of the strengths of Debian is its sheer flexibility. If you took Linux 101 through Linux 301, you learned many of the powerful and productive ways in which you can use or modify your system, such as setting up a web server and File Transfer Protocol (FTP) server, and using automation for repetitive tasks. Even when first installing Linux, you learned you can select specific components of the operating system, greatly reducing the number of files and disk space required. However, what if you don't have access to a CD or DVD drive, but you need to install Debian on a PC? Perhaps you have a netbook that doesn't have an optical drive, or maybe you're doing an install-fest as part of a Linux User Group and don't want to carry several discs around to different computers. Help is available in the form of Pre-boot Execution Environment (PXE) booting, a method of installing Debian using your computer's network connection and a local server. Setting up a PXE boot server requires several components, so let's review what's involved.

PXE boot server requirements

One of the primary requirements is the ability to boot using the network. Most computers manufactured within the last five years have this capability, which is built into the Basic Input/Output System (BIOS). To find out if your computer can boot using the network, restart your computer and enter the BIOS before the operating system begins to load. In the BIOS, look for the boot order. Determine if you can change it to use LAN or PXE, either of which will work.

The next major component is a DHCP server that's correctly configured for PXE booting. If you have a cable or digital subscriber line (DSL) connection that serves multiple computers, it's likely you have a router installed. It's also highly likely this router is configured to work as a DHCP server, assigning IP addresses to computers on your network. For purposes of this lesson, you'll replace that DHCP server with one you'll build and configure yourself, because a PXE client learns where its boot files are from the DHCP reply (the next-server and filename options), and a consumer router typically can't supply those. Running multiple independent DHCP servers on your network can cause IP conflicts for the workstations and can disrupt the network, so you'll switch the router's DHCP server off before starting your own.

DHCP works well for assigning IP addresses to end clients but not for transferring files to be used for client installations. For this purpose, you need to use Trivial File Transfer Protocol (TFTP), which is specifically designed for moving small amounts of data between hosts. TFTP differs from its cousin FTP in that it uses User Datagram Protocol (UDP) on port 69 and has no authentication at all: any host that can reach the port can fetch any file under the TFTP root. The same goes for PXE as a whole. The client trusts whichever DHCP server answers first and boots whatever that server points it at, so keep the installation server and the PXE clients on a network segment you control. Finally, you need the PXE configuration files for Debian, which you'll download as part of this lesson.

Performing pre-installation configuration

To perform some initial configuration to ensure that everything is ready for the lesson, follow these steps on your local mirror server:

1. Open a terminal window and switch to the root user.
2. To gather all the software you need to create the PXE server, run the following command:

apt-get install tftpd-hpa openbsd-inetd dhcp3-server

This command checks for and includes any software dependencies. Type y and press Enter, if prompted.

3. Change to the /var/lib/tftpboot directory, which is the TFTP root that tftpd-hpa serves from on Debian 5.
4. Enter the following command:

lftp -c "open http://ftp.us.debian.org/debian/dists/lenny/main/installer-i386/current/images/; mirror netboot/"

This command downloads the files you need for PXE booting Debian into /var/lib/tftpboot/netboot/. Lftp is a command-line file transfer client that speaks FTP as well as HTTP, which is what it's using here; its mirror command makes fetching a whole directory tree straightforward. If your download gets disrupted for any reason, rerun the same command and lftp will fetch only what's still missing.

Building a DHCP server for remote installation

When lftp has completed the download you're ready to move on to the first major part of the configuration, which is building a DHCP server for remote installation. It may be worthwhile at this point to briefly cover the steps you're about to take, so you're clear as to what's going to occur. All of the configuration takes place on the computer that's hosting your local mirror. You've installed some packages, and now you're going to write a configuration file for the DHCP server. You'll follow up by starting the inetd daemon (openbsd-inetd) that launches the TFTP server on demand, and then you'll look at the PXE boot configuration file. As mentioned previously, you probably already use a DHCP server, especially if you're in a small office that shares a cable or DSL connection over a router. Your DHCP server automatically provides IP addresses to your network users. Get your router's IP address, because you'll need it for the next steps. If you've got a small office router, the IP address is usually 192.168.0.1, 192.168.1.1 or 192.168.2.1, but check before proceeding.

Editing DHCP server settings

One of the packages you installed previously is a full-fledged DHCP server (ISC dhcpd) that's currently sitting idle. Before you can activate it, you need to configure it by editing the /etc/dhcp3/dhcpd.conf file. In a terminal window as the root user, enter the following command:

nano /etc/dhcp3/dhcpd.conf

By default, this file contains only comments and commented-out examples, leaving you with a blank canvas to work with. Enter the following text:

option domain-name-servers 192.168.2.1;
default-lease-time 50000;
max-lease-time 100000;
authoritative;

subnet 192.168.2.0 netmask 255.255.255.0 {
    range 192.168.2.2 192.168.2.199;
    filename "netboot/pxelinux.0";
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.2.255;
    next-server 192.168.2.200;
    option routers 192.168.2.1;
}

subnet 172.16.106.0 netmask 255.255.255.0 {
    # Note: No range is given; vmnet-dhcpd will deal with this subnet.
}

subnet 172.16.191.0 netmask 255.255.255.0 {
    # Note: No range is given; vmnet-dhcpd will deal with this subnet.
}

The file is described as follows, noting which parts you should modify to suit your environment:

option domain-name-servers and option routers: Replace 192.168.2.1 with your router's IP address.

authoritative: Tells dhcpd that it is the authoritative server for these subnets, so a client that asks to keep an address dhcpd knows nothing about (a lease left over from the router's DHCP server, for example) is refused and starts afresh.

subnet: You should stick to the same subnet as your router. For example, if your router's address is 192.168.2.1, modify the subnet to 192.168.2.0.

range: This option defines the range of IP addresses the server will allocate; in the example, 192.168.2.2 through 192.168.2.199 (198 addresses) are available for clients to use. Depending on your network size, you might want a smaller or larger number. Just like the subnet, match the range to your router's address, and make sure both ends lie inside the subnet declared on the line above, because dhcpd rejects the file otherwise. (The syntax looks odd, but you should leave only one space and nothing else between the first and last address.) Keep the server's own static address (192.168.2.200 here) and the router's address out of the range. Otherwise there's no advantage to limiting the number of IP addresses in the allocatable range, so go with a larger rather than smaller number.
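The commonest mistake in this file is a range line whose addresses don't belong to the subnet above it, typically a one-digit typo. dhcpd -t -cf /etc/dhcp3/dhcpd.conf is the authoritative check and should always be run before a restart; the shell functions below, added here as an example rather than taken from the course, perform the same range-versus-subnet test anywhere (for instance on the workstation where you edit the file before copying it to the server) and additionally reject a range that swallows the network or broadcast address. The only assumption is the one-subnet-per-block layout shown above; the 192.168.2.0/24 numbers are the lesson's.

```shell
#!/bin/sh
# Added example (not from the course): validate dhcpd.conf "range" lines
# against the subnet each one is declared in.

# ip2int A.B.C.D -> 32-bit integer (run in a subshell so IFS and $1..$4
# changes don't leak)
ip2int() {
  ( IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

#  in_subnet ADDR NETWORK NETMASK -> true if ADDR lies inside NETWORK/NETMASK
in_subnet() {
  [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq "$(ip2int "$2")" ]
}

# check_range NETWORK NETMASK LOW HIGH
#   both ends inside the subnet, LOW <= HIGH, and neither end is the
#   network or broadcast address (addresses you never want to lease)
check_range() {
  network=$1 netmask=$2 low=$3 high=$4
  net=$(ip2int "$network")
  mask=$(ip2int "$netmask")
  bcast=$(( net | (mask ^ 4294967295) ))
  lo=$(ip2int "$low")
  hi=$(ip2int "$high")
  for ip in "$low" "$high"; do
    in_subnet "$ip" "$network" "$netmask" ||
      { echo "FAIL: $ip is outside $network/$netmask"; return 1; }
  done
  [ "$lo" -le "$hi" ] ||
    { echo "FAIL: range start $low is above end $high"; return 1; }
  [ "$lo" -ne "$net" ] && [ "$hi" -ne "$bcast" ] ||
    { echo "FAIL: range $low $high includes the network or broadcast address"; return 1; }
  echo "OK: range $low $high lies within $network/$netmask"
}

# check_dhcpd_conf FILE
#   walks every "subnet N netmask M { ... range L H; ... }" block and checks
#   its range; blocks without a range (the VMware ones above) are skipped.
#   Returns non-zero on the first bad range.
check_dhcpd_conf() {
  awk '
    $1 == "subnet" { net = $2; mask = $4 }
    $1 == "range"  { sub(/;.*/, "", $3); print net, mask, $2, $3 }
  ' "$1" | while read -r net mask lo hi; do
    check_range "$net" "$mask" "$lo" "$hi" || exit 1
  done
}
```

Run check_dhcpd_conf /etc/dhcp3/dhcpd.conf after every edit; it prints one OK or FAIL line per range and exits non-zero on the first failure, so it can gate an automated restart of the server.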

Two settings are specific to PXE booting, and the last two subnet statements deal with VMware:

filename: This tells the client which file to load from the TFTP server. Only netboot/pxelinux.0 is listed here because the path is relative to the TFTP root, /var/lib/tftpboot.

next-server: This line should contain the IP address of the server on which the installation files will be located, that is, the local mirror server.

Last two subnet statements: dhcpd warns about, and ignores, any interface whose network has no subnet declaration, and the VMware host-only and NAT adapters (vmnet1 and vmnet8) put your server on two extra networks. Declaring them with no range keeps dhcpd quiet about those interfaces while guaranteeing it never hands out addresses there, leaving those networks to VMware's own vmnet-dhcpd. The addresses 172.16.106.0 and 172.16.191.0 are only examples, because VMware picks its ranges at installation time; check which networks your VMware installation actually uses (ifconfig vmnet1 and ifconfig vmnet8) and change this section accordingly. If you aren't running VMware on the server, delete both statements. Alternatively, set INTERFACES="eth0" in /etc/default/dhcp3-server so that dhcpd listens only on the LAN interface, in which case the extra declarations aren't needed at all.

Configuring the inetd daemon

Now you need the inetd daemon (the openbsd-inetd package you installed) running, because the tftpd-hpa package on Debian 5 is set up to be launched by inetd on demand rather than as a standalone daemon. Installing the packages already added a tftp entry to /etc/inetd.conf, so no further TFTP configuration is needed. To start inetd, enter the following command:

/etc/init.d/openbsd-inetd start

Activating the DHCP server

Now that you've got the DHCP server and inetd configured, you need to activate the DHCP server. It's important to understand that you should have only one DHCP server active on a network at any one time. dhcpd won't notice the router's DHCP server for you: both would answer client requests, clients would take whichever offer arrived first, and those served by the router would never receive the next-server and filename settings that PXE needs. To make the Debian DHCP server work reliably, disable your router's DHCP server first. Check your router's documentation to find out how; the option is usually located in the LAN settings, but this differs from vendor to vendor. To activate the Debian DHCP server on your computer, at a root terminal enter:

/etc/init.d/dhcp3-server start

After a few seconds, a message displays indicating the DHCP server has started "OK"; this means the machine is now serving IP addresses to clients that are configured to use DHCP. If you see a "Failed" message, examine the end of /var/log/syslog (type less /var/log/syslog and press End; dhcpd's messages also appear in /var/log/daemon.log). dhcpd describes the problem, and the most likely fault is a typo, so double-check the dhcpd.conf file for accuracy.

Once your new DHCP server is up and running, you can move on to the next step, which is configuring the files needed for PXE booting.

Setting up the installation files on the server

Setting up installation files on the server is fairly simple and involves checking a configuration file, followed by restarting some core system components.

1. At a root command line, navigate to /var/lib/tftpboot/netboot/pxelinux.cfg/.
2. Open the default file in nano using the command nano default. This is PXELINUX's configuration: it tells the boot loader that the client fetched (pxelinux.0) which kernel and initrd to load, and every file name in it is resolved relative to the directory pxelinux.0 was loaded from, netboot/ in this setup. Notice that the prompt and timeout options are both set to 0. This means that PXELINUX will boot the default entry without prompting the user or waiting for a choice to be made. If you add additional distributions to your PXE server later on, you may want to modify these entries.
3. Close nano. You haven't changed the default file, so there's no need to save it.
4. Restart the following three services to ensure they're using the latest configuration files. Enter the following commands in this order:

/etc/init.d/dhcp3-server restart
/etc/init.d/openbsd-inetd restart
/etc/init.d/apache2 restart

Now you're ready to run the installation, which is covered in the next section.

Testing the installation

The easiest way to test your PXE setup is to create a VM using VMware, as described in Lesson 1. If you completed Lesson 2's assignment, you don't need to use the installation DVD, so leave the optical drive empty. Follow these steps:

1. Open VMware.
2. Power on the virtual machine.
3. Click inside the VMware window to pass control to the virtual machine.
4. Press F12 on the keyboard to use the Network Boot option. After a few seconds, the Debian Installer boot menu screen should appear, as shown in Figure 3-1. This indicates your configuration was successful.

Figure 3-1: The Debian Installer boot menu screen.

5. Press Enter to start the Debian installation and set the language preferences as required.
6. At the stage where the installer asks you to select a mirror, scroll to the top of the list and select Enter information manually.
7. The first screen asks you to enter the hostname of the mirror. Enter your PXE server address (this lesson has been using 192.168.2.200 as an example, but substitute your address). Select Continue.
8. The next screen asks you to provide the path to the installation files; by default this is set to /debian/, which matches the symbolic link you created in the Lesson 2 assignment.
9. Continue installing Debian as usual: configure your partitions, root password, first user account and so on. The time required for installation should decrease dramatically as a result of using a local mirror.

You just completed your first PXE booted installation of Debian.

Moving on

In this lesson, you learned how to configure a PXE boot installation server to automate client installations across a network. Your next step is to complete the assignment and then tackle the quiz for this lesson. The final lesson in Linux 401 deals with network security and takes a look at firewalls and intrusion detection, which work in the background to keep computers and your network safe. See you there.

Assignment #3

You've now got a server that you can use as a local mirror and as an installation source for any clients on your network that support PXE booting. This proves especially useful if you have a lot of clients with the same hardware specifications and software requirements. However, you might decide that you want to PXE boot other architectures of Debian, such as the amd64 release. In this assignment, you'll learn how to do this using the net-install files for the amd64 release of Debian 5. For this assignment:

1. Create a new directory under the /var/lib/tftpboot/netboot directory called amd64, and then change to that directory using the following command:

cd /var/lib/tftpboot/netboot/amd64

2. Run the following command to download the amd64 installation files into your new directory:

lftp -c "open http://ftp.us.debian.org/debian/dists/lenny/main/installer-amd64/current/images/netboot/; mirror debian-installer/"

3. Change to the /var/lib/tftpboot/netboot/pxelinux.cfg directory and make a backup of the default file using the following command:

cp default default.backup

4. Open the default file in nano, delete all of its contents, and then enter the following. Paths are relative to /var/lib/tftpboot/netboot, the directory pxelinux.0 lives in, so the i386 installer is referred to as debian-installer/i386/... and the files you just downloaded as amd64/debian-installer/amd64/...:

DISPLAY boot.txt
default lenny_32bit
prompt 1
timeout 0

label lenny_32bit
    kernel debian-installer/i386/linux
    append vga=normal initrd=debian-installer/i386/initrd.gz -- quiet

label lenny_64bit
    kernel amd64/debian-installer/amd64/linux
    append vga=normal initrd=amd64/debian-installer/amd64/initrd.gz -- quiet

The prompt 1 setting makes PXELINUX show the contents of boot.txt and a boot: prompt, and timeout 0 makes it wait there indefinitely rather than auto-booting the default entry.

5. Create a new file in /var/lib/tftpboot/netboot called boot.txt (using nano), and then enter the following text:

Available Boot Options:
lenny_32bit
lenny_64bit

6. Save and close the file.
7. The next time you PXE-boot a client, you'll see the list of options to choose from. Just enter the name of the option you want at the boot: prompt and press Enter to boot into that environment.
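A wrong path in pxelinux.cfg/default only shows up as "Could not find kernel image" on the client, after a reboot. The following check, added here as an example and not part of the course, reads every kernel and initrd= entry in a PXELINUX configuration and confirms that the file exists relative to the directory pxelinux.0 was loaded from, which is exactly how PXELINUX resolves them. It serves both the stock default file from the main lesson and the two-entry file above; the /var/lib/tftpboot/netboot location is this lesson's, and the checker assumes one file name per initrd= (no comma-separated lists).

```shell
#!/bin/sh
# Added example (not from the course): verify that every kernel and initrd
# named in a PXELINUX config exists on the TFTP server, resolved relative to
# the directory holding pxelinux.0 (netboot/ in this lesson, because dhcpd
# hands out "netboot/pxelinux.0").
#
# check_pxe_cfg PXEDIR [CFGFILE]
#   PXEDIR  directory containing pxelinux.0 (e.g. /var/lib/tftpboot/netboot)
#   CFGFILE defaults to PXEDIR/pxelinux.cfg/default
#   Prints one line per referenced file; returns 1 if any is missing.
check_pxe_cfg() {
  pxedir=$1
  cfg=${2:-$pxedir/pxelinux.cfg/default}
  [ -f "$pxedir/pxelinux.0" ] || { echo "FAIL: $pxedir/pxelinux.0 missing"; return 1; }
  [ -f "$cfg" ] || { echo "FAIL: config $cfg missing"; return 1; }

  # collect "kernel <path>" values and "initrd=<path>" words from append lines;
  # keywords are case-insensitive in PXELINUX, hence tolower
  files=$(awk '
    tolower($1) == "kernel" { print $2 }
    tolower($1) == "append" {
      for (i = 2; i <= NF; i++) if ($i ~ /^initrd=/) print substr($i, 8)
    }' "$cfg")
  [ -n "$files" ] || { echo "FAIL: no kernel/initrd entries in $cfg"; return 1; }

  status=0
  for f in $files; do
    if [ -f "$pxedir/$f" ]; then
      echo "ok       $f"
    else
      echo "MISSING  $f (looked for $pxedir/$f)"
      status=1
    fi
  done
  return $status
}
```

Run check_pxe_cfg /var/lib/tftpboot/netboot after editing the default file; a .c32 menu module named on a kernel line is checked the same way, since PXELINUX loads it by the same rules.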

When a new version of Debian is released, you can replicate everything you learned in Lessons 1 through 3. Your network server will boot and install different versions of Debian, depending on your requirements. You can configure other Linux distributions to take advantage of your PXE boot server; however, this is beyond the scope of this class. Spend some time browsing the internet to get some ideas.

Quiz #3

Question 1: True or False: PXE stands for Post-boot Execution Environment.
A) True
B) False

Question 2: What is the purpose of a DHCP server?
A) Sets up PXE servers
B) Transfers installation files between computers
C) Automatically provides IP addresses to network users
D) Pulls installation files from an online repository

Question 3: True or False: The file you need to edit to control your DHCP server settings is /etc/dhcpd.conf.
A) True
B) False

Question 4: Which file transfer protocol does PXE booting use?
A) FTP
B) HTTP
C) NFS
D) TFTP

Question 5: If run in daemon mode, what is the name of the daemon TFTP requires?
A) xinetd
B) pxed
C) pxelinuxd
D) default

The computer firewall: implementing network protection at the perimeter

You can use security policies to keep your internal network safe, but additional measures are needed to stop threats at the perimeter. This lesson covers firewalls and intrusion detection systems for strong network security.

Welcome back. In Lesson 3, you learned how to configure a local mirror server to provide client installation files across a network. In this lesson, you'll explore computer and network perimeter security. You'll begin by discovering some firewalling essentials, covering basic configuration of the firewall supplied with Debian. After that, you'll take a look at Snort, an intrusion detection and monitoring application that's highly useful for spotting intruders on your network.

Protecting your computers and network

Debian is designed from the ground up to be a secure operating system, but no system is perfect. The worst possible scenario is that an unauthorized user gains remote access to your server and destroys files and system settings, or quietly keeps that access for later use. Effective perimeter defense is therefore the key to making it as difficult as possible for someone to enter your network, perhaps giving you enough time to notice the attack and deal with it accordingly. Security is something of a fine art, requiring a logical mind to successfully implement a secure network. However, it's important to note that no network is ever 100-percent secure; there are always unpublished vulnerabilities or holes that seasoned attackers can use to penetrate your network, which is why detecting intrusions (the subject of the Snort section) matters as much as preventing them.

With the explosion in internet connectivity, there's an increased threat of outsiders wanting unauthorized access to your system. It's not unusual to read stories about botnets, which are large networks of computers that have been penetrated by a malicious individual and subverted to carry out automated attacks against corporate and government networks. A botnet uses a small program that's loaded onto each victim's computer, enabling control from a remote source. A firewall that drops unsolicited inbound connections removes the easiest route in for this kind of compromise, though it won't stop malware that a user installs or that arrives by e-mail, which is why the measures that follow work together. Before you begin the section on using firewalls, however, you need to understand a few basic security issues first.

More services means more opportunities for attack

The more services you have running on a computer, the greater the chance it will succumb to an attack. Each active service, such as postfix, apache2 or even a DHCP server, is another attack vector for would-be intruders to follow in their attempt to gain control of your system, so run only the services a machine actually needs. For the same reason, it often makes more sense to run multiple servers (that is, multiple computers, or the virtual machines you met in Lesson 1) than to run one computer with several active services.

If you have multiple servers and one is compromised, there's a good chance the damage will be limited to that computer. However, if one server runs all of your services, you have potentially greater security problems, in addition to the downtime your users will encounter while you repair any damage.

Using a strong administrator password

The most common method of entry to a network is by using the default administrator's password, or an easily guessed password. You'd be surprised how many computers have the administrator password set as "password" or "admin." It's critically important to set a strong password for your root account, and to change it whenever you suspect it may have been exposed. These passwords should be long and not based on a dictionary word, to defeat dictionary attacks, whereby an attacker uses a program that automatically works through a predefined list of words to find a password match. The same applies to every account that can use su or sudo to become root.

Using an internet security suite for virus and spyware protection

Every computer that accesses a network or the internet should run up-to-date antivirus and antispyware software. These tools are now essential to computer health and safety. You can find a number of good programsfree or for a feeby searching for internet security suites on the web.

Always running a firewall

In addition to virus and spyware protection, you must always run a firewall, whether it's on your local computer or acting as a bridge between your network and the outside world. A firewall is a piece of software that allows you to open or close specific network ports through which traffic can flow. You could close all the ports to the computer, making it more difficult to get in, or you can allow specific ports to be open, such as port 80 for HTTP traffic or port 22 for Secure Shell (SSH) traffic. The effective configuration of a firewall is a significant step toward locking down your system against outside attack. In the next section, you'll learn how to configure a firewall by blocking or allowing traffic, as needed.

Configuring a basic firewall

Debian comes with a decent firewall called netfilter/iptables, which is also found in most of the major Linux distributions. However, you need to install additional software to be able to configure it easily. For purposes of this class, it's recommended you use Firestarter, which has an easy-to-use GUI. Run the apt-get update command at a root prompt, and then run the apt-get install firestarter command to install Firestarter. You can also use Synaptic Package Manager in the GUI to install Firestarter. To configure a firewall in Debian using Firestarter, follow these steps:

1. Select System > Administration > Firestarter, and then enter the root password, if prompted. The Firewall Wizard starts. Click Forward.

2. On the Network device setup screen, confirm the network interface you want to configure the firewall for. Commonly it's eth0, but you may need to select another interface depending on your requirements. If you're using a static IP address, make sure you uncheck the IP address is assigned via DHCP option. Click Forward.

Figure 4-1: The Network device setup screen.

3. Skip the Internet connection sharing setup screen by clicking Forward.

4. Click Save on the final screen. The main Firestarter window appears, as shown in Figure 4-2.

Figure 4-2: Firestarter has finished its initial configuration; now you can add, amend and delete rules as needed.

5. In Firestarter, click the Policy tab to switch to the editing area. Here you can choose to allow specific hosts or ports to be opened for both inbound and outbound traffic. Click in the Allow service text box, and then click the Add Rule button on the toolbar.

6. When the Add new inbound rule dialog box appears, use the drop-down menu to select HTTP, as shown in Figure 4-3, or just enter 80 in the Port field. Click the Add button to add that port or service to your proposed ruleset.

Figure 4-3: Firestarter comes prepopulated with a number of common ports.

7. You haven't yet enforced the policy. To do so, click Apply Policy on the toolbar. The policy is written to the firewall and will now allow traffic on port 80.

Never allow all traffic on an externally facing (internet-facing) network interface. It's analogous to handing out copies of your front door key at the local mall, along with details of how to get to your house.

You can also use Firestarter to specifically block outgoing access on a port or a service. For example, if you want to block access to Telnet for everyone (Telnet is a highly insecure service), you could explicitly define a deny Telnet policy using an outbound rule. Just change the drop-down menu option on the Policy tab to Outbound Connections, and add a rule similar to the HTTP rule created in this section. Now that you know how to configure a simple firewall in Debian, read on to learn about intrusion detection using Snort.

Using an intrusion detection system

Creating a firewall is a good security practice, but it's not failsafe. A running joke among system administrators is that a computer is only secure if it's been disconnected from everything and buried in 20 feet of dirt. Although a firewall will keep the majority of malicious individuals out of your network, there will still be attempts to compromise your system using allowed ports and services. The key is being able to monitor those services for signs of attack, and that's where Snort comes in.

Snort is a powerful, open source intrusion detection system (IDS). It works by analyzing network packets flowing into and out of a system. Literally thousands and thousands of packets can be transmitted daily by browsing the internet, checking for system updates, and allowing someone to connect to your FTP server to upload files. Traffic is also generated by someone electronically "knocking on your door" using a tool such as Nmap or the ping utility. Snort lets you know if suspicious activity is occurring that needs your attention. To install Snort, use Synaptic to search for the Snort package or use apt-get install snort at the command line. Snort is almost completely driven from the command line, so after installation, open a terminal window and switch to a root prompt. To confirm that the snort service is installed, issue the snort command. You should see a long list of options for Snort. To see how much data Snort captures, issue the following command in a root terminal:

snort -v

This starts Snort in verbose mode, which means that Snort displays any activity it detects, both incoming and outgoing. Open a web browser and browse a few different websites, or run update-manager for your system. It's likely that Snort's output will display many rows of information. When you connect to websites, you send information out of your system and each website may send information back to you. You might also see local chatter going on between your system and other computers on your network.

Press Ctrl+C to stop Snort. After a few seconds, a summary of the activity that Snort has captured appears. It shows you a breakdown of network packets captured by protocol, as well as the length of time Snort was active.

The output doesn't mean much at the moment, because it's just a flood of information onto your terminal. It's much more useful to be able to divert the output into a log file, but even then the amount of data produced can be voluminous. Fortunately, Snort makes extensive use of rules to help organize collected data into usable information.

When you install Snort within Debian, it comes with a large set of pre-packaged rules that provide a foundation for protecting your system and network. Once you've installed Snort, it runs as a background service or daemon and immediately begins collecting data on access attempts into and out of your system. The crucial file to keep an eye on is /var/log/snort/alerts. If you have been running Snort for more than a few minutes, you might already have some entries in the alerts file. Run the following command to display the contents:

less /var/log/snort/alerts

Depending on how "chatty" your network is, or if your system is under attack, there might be only a few rows of data or hundreds of rows.

Snort does a good job of classifying individual alerts, so you may see some alerts such as Double Decoding Attack or Attempted Information Leak. Linked to each alert is a timestamp that looks similar to the following:

08/25-16:35:44.349624

Basically, this is the month and day, followed by the time the event was detected. It's important that all your systems share the same time information if you are to successfully defend against an attack. The easiest way to do this is to set them all to synchronize against an internet time source. On the same line you'll see two IP addresses in the following format:

x.x.x.x:x -> x.x.x.x:x

The first address shows the source IP address (before the colon) along with the source port number (after the colon). The second address is the destination IP address (before the colon) along with the destination port number (after the colon). Therefore, the following means that the source computer (192.168.2.200) made a connection from port 80 to the destination computer (192.168.2.8), also on port 80:

192.168.2.200:80 -> 192.168.2.8:80

The next line of an alert gives you more information on the packet itself, such as how many hops the packet may make before it's discarded, the length of the header and the size of the packet itself. Snort provides links to websites that explain each event and provide vulnerability information.
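The alert layout just described (a header line with the rule ID and message, a classification line, the timestamp with src:port -> dst:port, then a protocol line carrying the TTL and lengths) is Snort's full alert format. The Python below is an added example, not part of the lesson or of Snort: it parses constructed alert records (the rule IDs, messages and addresses are made up) and summarizes them by source address and classification, handling ICMP alerts that carry no port numbers.

```python
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the layout of Snort's full alert output; the rule IDs,
# message texts and addresses are made up for this example.
SAMPLE_ALERTS = """\
[**] [1:1000001:1] CONSTRUCTED Attempted Information Leak [**]
[Classification: Attempted Information Leak] [Priority: 2]
08/25-16:35:44.349624 192.168.2.200:80 -> 192.168.2.8:80
TCP TTL:64 TOS:0x0 ID:4321 IpLen:20 DgmLen:60 DF

[**] [1:1000002:1] CONSTRUCTED ICMP PING probe [**]
[Classification: Misc activity] [Priority: 3]
08/25-16:36:02.004411 192.168.2.200 -> 192.168.2.8
ICMP TTL:64 TOS:0x0 ID:7 IpLen:20 DgmLen:84

[**] [1:1000003:1] CONSTRUCTED Double Decoding Attack [**]
[Classification: Web Application Attack] [Priority: 1]
08/25-16:40:19.120000 10.0.0.5:51234 -> 192.168.2.8:80
TCP TTL:52 TOS:0x0 ID:999 IpLen:20 DgmLen:512 DF
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]$")
# month/day-hh:mm:ss.usec, then src[:port] -> dst[:port]; ICMP has no ports
FLOW_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")
# protocol, TTL (hops left before discard), IP header length, datagram length
PROTO_RE = re.compile(r"^(\w+) TTL:(\d+) .*?IpLen:(\d+) DgmLen:(\d+)")

@dataclass
class Alert:
    sid: int
    message: str
    classification: str
    priority: int
    timestamp: str
    src: str
    src_port: int | None
    dst: str
    dst_port: int | None
    proto: str
    ttl: int

def parse_alerts(text: str) -> list[Alert]:
    """Split the file into blank-line separated records and parse each one."""
    alerts = []
    for record in re.split(r"\n\s*\n", text.strip()):
        lines = record.splitlines() + [""] * 4  # pad so short records just fail
        h, c, f, p = (HEADER_RE.match(lines[0]), CLASS_RE.match(lines[1]),
                      FLOW_RE.match(lines[2]), PROTO_RE.match(lines[3]))
        if not (h and c and f and p):
            continue  # truncated or unfamiliar record: skip rather than guess
        alerts.append(Alert(
            sid=int(h.group(2)), message=h.group(4),
            classification=c.group(1), priority=int(c.group(2)),
            timestamp=f.group(1),
            src=f.group(2), src_port=int(f.group(3)) if f.group(3) else None,
            dst=f.group(4), dst_port=int(f.group(5)) if f.group(5) else None,
            proto=p.group(1), ttl=int(p.group(2))))
    return alerts

def summarize(alerts: list[Alert]) -> dict:
    """Who is talking to us, what kinds of events, and which need attention."""
    return {"by_source": Counter(a.src for a in alerts),
            "by_classification": Counter(a.classification for a in alerts),
            "high_priority": [a.sid for a in alerts if a.priority == 1]}
```

Feed it the real file with `parse_alerts(open("/var/log/snort/alerts").read())`; the by_source counter is the quickest way to spot one host that keeps "knocking on your door".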

Snort doesn't protect your data from being stolen by electronic means, nor does it prevent people from accessing your system via the network. Rather, it's intended to give you a clear view of the activity on your network, which might indicate the presence of an attacker or unauthorized individual trying to gain access to your system. The more you know about the attack, the better chance you have of effectively locking out that attacker. Now that you know the essentials of Snort, read on to pick up some general security best practices.

General security best practices

In this lesson, you've learned how to configure a firewall and use Snort to monitor network activity and detect intruders. Both are important parts of a layered security defense. In this final section, you'll learn some general security best practices that build on that foundation.

Keeping your system updated

One of the best ways you can protect a system against attacks is to keep it up to date. The Debian project continuously releases security updates and patches for software, so you should check periodically for updates and install them as soon as you can. That way you can be sure you're running the most secure version of software possible.

To take some of the pain out of getting updates, you can elect to either install the security updates without confirmation (the latest security-related patches install automatically) or download the updates in preparation for installation. You can access these options by going to System > Administration > Software Sources and clicking the Updates tab, or editing the sources.list file.

Some people are wary of installing updates immediately after release for fear of introducing bugs into the system. During the life cycle of Debian 5, no major changes are made to versions of software that are installed. Instead, you get a range of minor updates, primarily bug fixes but also security patches, all of which refine the existing application that's been installed without introducing the opportunity for incompatibility between different versions of applications. For busy systems administrators, it's recommended you choose the option to download all the updates in the background because this will save time when you install them. Update Manager will still prompt you when updates are available, but it will start to install them immediately as they have already been downloaded locally.

Enforcing password policies

One thing you can never underestimate is the value of a good password. It's often said that users are the weakest link in the system and network security chain, so it's a good idea to ensure your users are using secure passwords that are changed frequently.

Password frequency and duration

The first step is to enforce frequent changing of passwords on your users. You can do this by editing the contents of the /etc/shadow file, which contains the encrypted password and also other settings relating to each individual user account. In a root terminal, issue the command less /etc/shadow to display the contents of the file in the terminal. You'll see output similar to the following:

User:$JNnbBb80oinNknunNmnllncdjn:14853:0:9999:7:::

A colon separates each item of information. From the left, you'll find:

1. The user name
2. The encrypted password
3. The number of days since Jan 1, 1970, that the password was last changed
4. The minimum number of days required between password changes
5. The maximum number of days the password is valid
6. The number of days before the password is due to expire that the user is warned
7. The number of days after the password expires that the account is automatically disabled
8. The day the account expires, counted in days since Jan 1, 1970

Directly editing the /etc/shadow file can cause problems that might not be immediately apparent. The best way to make changes is to edit the /etc/login.defs file to set global options that will be enforced whenever you create a new user. You'll find a number of lines commented out in this file, most of which are fairly self-explanatory. To force users to change their passwords every quarter, you can change the PASS_MAX_DAYS parameter to 90. You could also force them to use a unique password by entering a figure for the minimum number of days between password changes after the PASS_MIN_DAYS parameter. That way, you protect your system against users changing their password and then instantly changing it back to the previous one that's easy to remember.

If you're setting the maximum age for a password, give the users some notice that they need to change their passwords. You can do this by entering a value after the PASS_WARN_AGE line. 7 days is usually adequate, but you may prefer a longer period such as 14 days to catch anyone who may be on vacation at the time.
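To see how the /etc/shadow fields combine with the PASS_MAX_DAYS and PASS_WARN_AGE values discussed here, the following is an added Python example (not part of the lesson): it parses constructed lines in /etc/shadow layout (made-up user names and placeholder hashes) and reports each account's password state for a given day count since Jan 1, 1970.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample in /etc/shadow layout; the hashes are placeholders.
# alice and erin were created with PASS_MAX_DAYS 90 and PASS_WARN_AGE 14.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
alice:$6$PLACEHOLDERHASH:14853:0:90:14:::
bob:$6$PLACEHOLDERHASH:14700:1:90:7:30::
carol:$6$PLACEHOLDERHASH:14853:0:9999:7:::
dave:!:14000:0:90:7::14900:
erin:$6$PLACEHOLDERHASH:14820:0:90:14:::
frank:$6$PLACEHOLDERHASH:14850:0:90:7::14890:
"""

@dataclass
class ShadowEntry:
    name: str
    hash: str
    last_change: int | None    # days since Jan 1, 1970 the password was set
    min_days: int | None       # minimum days between changes
    max_days: int | None       # days the password stays valid
    warn_days: int | None      # warning period before expiry
    inactive_days: int | None  # grace days after expiry before disabling
    expire_day: int | None     # account expiry, days since Jan 1, 1970

def _days(field: str) -> int | None:
    return int(field) if field else None   # an empty field means "not set"

def parse_shadow(text: str) -> list[ShadowEntry]:
    """Parse the nine colon-separated fields of each non-empty line."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"expected 9 fields, got {len(f)}: {line!r}")
        entries.append(ShadowEntry(f[0], f[1], *(_days(x) for x in f[2:8])))
    return entries

def password_status(e: ShadowEntry, today: int) -> str:
    """Describe an account's state on `today` (days since Jan 1, 1970)."""
    if e.hash.startswith(("!", "*")):
        return "locked"                    # no password can match this field
    if e.expire_day is not None and today >= e.expire_day:
        return "account expired"
    if e.last_change is None or e.max_days is None:
        return "password never expires"
    expiry = e.last_change + e.max_days
    if today >= expiry:
        if e.inactive_days is not None and today >= expiry + e.inactive_days:
            return "disabled: password expired and grace period over"
        return "password expired: must change at next login"
    days_left = expiry - today
    if e.warn_days is not None and days_left <= e.warn_days:
        return f"warning: password expires in {days_left} days"
    return f"ok: {days_left} days left"

def report(text: str, today: int) -> dict[str, str]:
    return {e.name: password_status(e, today) for e in parse_shadow(text)}
```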

In every case, you need to uncomment a line to enable its setting; uncommenting means removing the pound (#) symbol at the beginning of the line.

Strong passwords

Setting durations for passwords is a good practice, but what about preventing users from creating relatively simple passwords? To do this, you need to install some additional software. Open a root terminal and use the command apt-get install libpam-passwdqc. This installs a package that will let you enforce the creation of strong passwords that match specific criteria. You need to open /etc/pam.d/password-common in a text editor (such as nano) to configure your policy. At the top of the file, enter a new line as follows:

password required /lib/security/pam_passwdqc.so min=disabled,disabled,10,7,6 enforce=users ask_oldauthtok

Scroll through the file until you reach the line that's uncommented and add the syntax use_first_pass after pam_unix.so and before nullok. Save the file. Now you've got a strong password complexity policy that's enforced for users only.

To explain what's going on, let's take a look at the first line. We're telling PAM (Pluggable Authentication Modules, an easy way to quickly add levels of authentication to Debian) that it must use pam_passwdqc.so whenever a password function is required. The first option (min) sets minimum lengths for passwords made up of various numbers of character classes. The first "disabled" statement means you're explicitly disabling users from being able to create passwords that contain only one character class, so the password linuxiscool would not be allowed because it only has the lowercase character class. Character classes represent different types of ASCII characters; for example, lowercase letters are one character class, capital letters are another. Then you have numbers and punctuation, such as $(%^). It's generally accepted that the more character classes there are in a password, the harder that password is to crack. The second "disabled" statement represents passwords that contain two character classes. For example, LinuxIsCool would normally be allowed because it contains characters from the lowercase and the capital classes. However, you have explicitly disabled passwords with only two character classes. The third option (10) represents a minimum character count for a passphrase-based password; this is a string of words that make up a passphrase, so expanding on our example, Linux Is Cool would be allowed because it contains more than 10 characters. You can disable this type of password if you want.

The fourth option (7) represents a minimum number of characters for passwords that contain at least three character classes. Linux1sCool would be suitable because it has capital letters, lowercase letters and one number.

The fifth option (6) gives a minimum acceptable number of characters for passwords that contain at least four character classes. Our example would have to be Linux1sCoo! for it to be acceptable to the system.

The enforce=users option limits the restrictions to user accounts only. If you don't include this option, the root account will be subject to the same restrictions as users, which may or may not be desirable depending on your specific requirements. The ask_oldauthtok option makes passwdqc play nicely with the existing authentication system; the second part of this is using use_first_pass as an option after pam_unix.so. It's absolutely essential that the line containing passwdqc appears before the pam_unix line because Debian will process these in a linear fashion.

Assignment #4

In this modern age of almost ubiquitous internet connectivity, the number of channels that potential hackers can use to gain access to a computer system can be bewildering. Identifying the gaps in your security policy can help make your system more secure. For this assignment:

1. Thoroughly review your current firewall policy to ensure you're allowing access only to necessary services. For example, if you don't share printers using the Internet Printing Protocol (IPP), ensure the service is disabled, thus locking out potential hacker traffic. Be careful not to lock down everything. You might require access to the HTTP and TFTP ports, for example, especially if you're refining the firewall policy on the server running your local mirror and PXE boot installation from Lessons 2 and 3. The best way to start is to be totally restrictive, and then gradually open ports as you have a specific requirement.

Opening all the ports on your firewall is never recommended, and can easily result in a security breach on your system. In addition, don't allow full access to a network interface unless you have a good reason to do so.

2. Once you've configured a firewall policy, install and start Snort. A great way to test it out is to try accessing the Snort machine from another machine using SSH or even trying to browse to it. An even better way to get a feel for the kind of alerts Snort generates is to install Nmap along with Zenmap (a GUI frontend for Nmap, which you'll find under Applications > Internet). Use the IP address of your Snort machine as the target, and then set the profile to Intense Scan before clicking the Scan button. Keep an eye on your Snort system, particularly the alerts file.

3. Consider a workable password policy for your users. Is forcing them to change their passwords frequently a good thing, or are you simply forcing them to write their password on sticky notes that inevitably get stuck to their monitors? Think about the level of password complexity you wish to enforce on your users, along with what your minimum number of character classes should be.

Moving on

That's it for Linux 401. We hope you've learned a lot about Linux, and Debian in particular, and gained some useful tips and ideas from the four lessons. Don't forget to complete the assignment and take the quiz for this lesson, or any others you might have skipped during the class.

Quiz #4

Question 1: What are the benefits of a firewall? (Check all that apply.)
A) To securely allow access to your system
B) To let users view your log files
C) To allow the sharing of your home directory
D) To allow or disallow network traffic on specific ports

Question 2: What is Snort? (Check all that apply.)
A) An IDS
B) A network packet analysis tool
C) A tool that copies data from other machines
D) A GUI tool for configuring network interfaces

Question 3: Where is the password-common file located that contains information on password configuration?
A) /etc/passwords/
B) /etc/
C) /etc/pam.d/
D) /etc/config/passwds

Question 4: What does min=10,9,8,7,6 represent in the /etc/pam.d/password-common file? (Check all that apply.)
A) All character classes are allowed in passwords, along with passphrase passwords.
B) Passwords with two character classes must have a minimum of 8 characters.
C) Passwords with one character class must have a minimum of 10 characters.
D) Passwords with five character classes are allowed.

2003 - 2010 Powered, Inc.